block 1: critical ship-blockers (upload cap, auth hardening, bounded workq, scoped search) (#60)

* feat(api): cap multipart upload size via MaxBytesReader

New server.max_upload_bytes config (default 100 MiB, env
DOCSIQ_SERVER_MAX_UPLOAD_BYTES). Upload handler wraps request body
with http.MaxBytesReader before ParseMultipartForm so oversized
requests terminate at the transport with 413 instead of allocating
memory or temp files.

Closes the P2-1 TODO in handlers.go.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(api): address Task 1 code-review feedback

- Drop double WriteHeader in *http.MaxBytesError branch
  (MaxBytesReader already committed the 413)
- Test asserts JSON contract + Content-Type header
- New TestUploadMaxBytes_UnknownContentLength covers the
  chunked/unknown-length slow path
- Extract writeTooLarge helper (DRY the 413 body)
- Comment limit<=0 escape hatch on the config field
- slog.Warn on oversize reject (matches repo convention)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(serve): refuse insecure default on non-loopback bind

validateServeSecurity fails startup when server.api_key is empty AND
server.host is not loopback. Loopback+empty emits a prominent slog
warning instead. Closes the "auth-disabled-by-default" ship-blocker.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(serve): address Task 2 code-review feedback

- Refuse empty server.host (binds all interfaces, not loopback)
- Use net.ParseIP().IsLoopback() to accept [::1], 127.0.0.0/8,
  and ::ffff:127.0.0.1 as loopback
- Table-driven tests cover new hosts + empty-string case
- Assert DOCSIQ_SERVER_API_KEY is named in the refusal message
- gofmt

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(workq): bounded worker pool with graceful drain

New internal/workq package. Pool has fixed worker count and a
bounded submission queue; Submit is non-blocking and returns
ErrQueueFull when saturated. Close(ctx) cancels the pool context
and waits for workers to drain within the caller's deadline.

Preparing to replace fire-and-forget upload indexing goroutine.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(workq): guard Submit against send-on-closed-channel race

RWMutex guards the jobs-channel send in Submit against a concurrent
Close that calls close(p.jobs). Previously a Submit that passed the
p.closed check could be preempted and then send on an already-closed
channel. Add a stress test (50 iterations x 32 concurrent Submits +
Close) to exercise the race under `-race`.

Modernize the iteration count in TestPool_CloseDrainsInflight to
Go 1.22's for-range-N form.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(api): submit upload indexing through workq with graceful drain

Upload handler now submits the indexing closure to a bounded workq
Pool instead of spawning a detached goroutine. When the queue is full
the handler returns 503 with Retry-After: 30. On shutdown, cmd/serve
calls pool.Close with a 30s deadline so in-flight jobs honour the
cancelled context and partial writes are avoided.

Config: server.workq_workers (default NumCPU), server.workq_depth
(default 64).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(api): address Task 4 code-review follow-ups

- upload(): set progress to rejected state before writing 503
  when workq.Submit returns ErrQueueFull or ErrClosed, so
  progress polling reflects the rejection instead of stale
  "queued" forever.
- upload_workq_test.go: defer close(block) after defer
  pool.Close so drain completes even if the test panics.
  Also add started-channel sync and fill both channel slots
  (capacity = Workers+QueueDepth = 2) so saturation is
  deterministic under the race detector.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(api): silence unused-parameter lint in upload_workq_test

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(api): session cookie path alongside bearer auth

New POST /api/session exchanges an Authorization: Bearer key for a
docsiq_session httpOnly; Secure; SameSite=Strict cookie (30-day
Max-Age). DELETE /api/session clears it. Auth middleware now accepts
either the Authorization header or the cookie; /api/session itself is
public (it is the auth boundary).

Preparing to stop injecting the key into served HTML.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(api): defense-in-depth symmetry for session auth

- bearerAuthMiddleware: explicitly reject when server.api_key
  is unset, matching newSessionHandler's guard. Previously
  correct only via the no_token branch firing first; fragile
  under refactor.
- extractToken: trim whitespace from the session cookie value
  for parity with the Authorization header path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(ui): cookie-based auth; stop reading bearer from DOM

apiFetch now sends credentials: 'include' on every request; the
Authorization header is no longer attached. On boot, initAuth
exchanges the legacy meta-tag bearer (if present) for a cookie via
POST /api/session exactly once and scrubs the meta tag. Production
installs that already ship cookies out-of-band (via `docsiq login`)
skip the exchange entirely.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ui): surface session-exchange failures, scrub meta tag first

- Check res.ok on POST /api/session. Non-2xx rejects sessionReady
  so the UI sees a single clear auth-boundary failure instead of
  a cascade of generic 401s on subsequent fetches.
- Scrub the legacy meta tag BEFORE awaiting the fetch. The bearer
  is already captured as a closure param; leaving the tag in the
  DOM during a slow/hung exchange widens the disclosure window.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(api): stop injecting API key into served HTML

The SPA handler no longer rewrites index.html to embed the bearer in
a <meta name="docsiq-api-key"> tag. Browser auth now flows through
the docsiq_session cookie set by POST /api/session. Closes the
"API-key-in-HTML" ship-blocker.

The stale spa_meta_test.go asserted the injection was present and
is replaced by spa_test.go which asserts the tag is absent.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* perf(search): scope entity fetch to top-hit docs in local search

Replaces the full-table AllEntities scan with EntitiesForDocs, which
joins the entities → relationships tables and filters by
relationships.doc_id with a chunked IN-list (chunk size 900, below
SQLite's 999 variable limit). Local search now scales sub-linearly
with corpus size.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ui): drop legacy meta-tag read in MCP hook, use cookie auth

useMCP had its own getBearer() reading the docsiq-api-key meta tag
and attaching Authorization to /mcp requests — a parallel path that
Tasks 5-7 missed. Now the hook sends credentials: 'include' and
relies on the docsiq_session cookie, matching apiFetch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aksOps

cmd/serve.go

@@ -9,15 +9,19 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
+	"runtime"
+	"strings"
 	"syscall"
 	"time"
 
 	"github.com/RandomCodeSpace/docsiq/internal/api"
+	"github.com/RandomCodeSpace/docsiq/internal/config"
 	"github.com/RandomCodeSpace/docsiq/internal/embedder"
 	"github.com/RandomCodeSpace/docsiq/internal/llm"
 	"github.com/RandomCodeSpace/docsiq/internal/project"
 	"github.com/RandomCodeSpace/docsiq/internal/sqlitevec"
 	"github.com/RandomCodeSpace/docsiq/internal/vectorindex"
+	"github.com/RandomCodeSpace/docsiq/internal/workq"
 	"github.com/spf13/cobra"
 )
 
@@ -140,11 +144,25 @@ var serveCmd = &cobra.Command{
 			}
 		}
 
+		workers := cfg.Server.WorkqWorkers
+		if workers <= 0 {
+			workers = runtime.NumCPU()
+		}
+		depth := cfg.Server.WorkqDepth
+		if depth <= 0 {
+			depth = 64
+		}
+		pool := workq.New(workq.Config{Workers: workers, QueueDepth: depth})
+
 		router := api.NewRouter(prov, emb, cfg, registry,
 			api.WithProjectStores(stores),
 			api.WithVectorIndexes(vecIndexes),
+			api.WithWorkq(pool),
 		)
 
+		if err := validateServeSecurity(cfg); err != nil {
+			return err
+		}
 		addr := fmt.Sprintf("%s:%d", cfg.Server.Host, cfg.Server.Port)
 		ln, err := net.Listen("tcp", addr)
 		if err != nil {
@@ -177,6 +195,17 @@ var serveCmd = &cobra.Command{
 			slog.Error("❌ shutdown error", "err", err)
 			return err
 		}
+
+		// Drain workq within its own 30s deadline. Server.Shutdown has already
+		// stopped accepting new HTTP requests, so no new jobs can be submitted;
+		// all that remains is letting in-flight pipelines finish or honour the
+		// cancelled ctx.
+		drainCtx, drainCancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer drainCancel()
+		if err := pool.Close(drainCtx); err != nil {
+			slog.Warn("⚠️ workq drain timeout; some indexing jobs were cancelled mid-flight", "err", err)
+		}
+
 		slog.Info("✅ shutdown complete")
 		return nil
 	},
@@ -187,3 +216,33 @@ func init() {
 	serveCmd.Flags().StringVar(&serveHost, "host", "", "Server host (overrides config)")
 	serveCmd.Flags().IntVar(&servePort, "port", 0, "Server port (overrides config)")
 }
+
+// validateServeSecurity refuses to start the server when the API key is
+// empty AND the bind host is not loopback. An unauthenticated service
+// exposed on the network is almost never intentional; make it explicit.
+// Loopback with empty key gets a prominent warning at boot instead.
+func validateServeSecurity(cfg *config.Config) error {
+	if cfg.Server.APIKey != "" {
+		return nil
+	}
+	host := strings.ToLower(strings.TrimSpace(cfg.Server.Host))
+	if host == "" {
+		return fmt.Errorf(
+			"server.api_key is empty and server.host is unset (binds all interfaces); refusing to start. " +
+				"Set DOCSIQ_SERVER_API_KEY or bind to 127.0.0.1/localhost for dev",
+		)
+	}
+	loopback := host == "localhost"
+	if ip := net.ParseIP(strings.Trim(host, "[]")); ip != nil {
+		loopback = loopback || ip.IsLoopback()
+	}
+	if !loopback {
+		return fmt.Errorf(
+			"server.api_key is empty and server.host=%q is not loopback; refusing to start. "+
+				"Set DOCSIQ_SERVER_API_KEY or bind to 127.0.0.1/localhost for dev",
+			cfg.Server.Host,
+		)
+	}
+	slog.Warn("⚠️ auth disabled (empty server.api_key); only loopback bind allowed", "host", host)
+	return nil
+}

cmd/serve_test.go

@@ -0,0 +1,87 @@
+package cmd
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/RandomCodeSpace/docsiq/internal/config"
+)
+
+func TestValidateServeSecurity_RefusesNonLoopbackWithEmptyKey(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name        string
+		host        string
+		mustContain []string
+	}{
+		{
+			name:        "empty host binds all interfaces",
+			host:        "",
+			mustContain: []string{"binds all interfaces", "DOCSIQ_SERVER_API_KEY"},
+		},
+		{
+			name:        "0.0.0.0 is wildcard",
+			host:        "0.0.0.0",
+			mustContain: []string{"api_key", "DOCSIQ_SERVER_API_KEY"},
+		},
+		{
+			name:        "public IPv4",
+			host:        "10.0.0.5",
+			mustContain: []string{"api_key", "DOCSIQ_SERVER_API_KEY"},
+		},
+	}
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			cfg := &config.Config{}
+			cfg.Server.Host = tc.host
+			cfg.Server.Port = 8080
+			cfg.Server.APIKey = ""
+
+			err := validateServeSecurity(cfg)
+			if err == nil {
+				t.Fatalf("host=%q: expected error for empty api_key on non-loopback bind; got nil", tc.host)
+			}
+			for _, want := range tc.mustContain {
+				if !strings.Contains(err.Error(), want) {
+					t.Errorf("host=%q: error should contain %q; got %v", tc.host, want, err)
+				}
+			}
+		})
+	}
+}
+
+func TestValidateServeSecurity_AllowsLoopbackWithEmptyKey(t *testing.T) {
+	t.Parallel()
+	hosts := []string{
+		"127.0.0.1",
+		"localhost",
+		"::1",
+		"[::1]",            // bracketed IPv6
+		"127.0.0.2",        // other address in 127.0.0.0/8
+		"::ffff:127.0.0.1", // IPv6-mapped IPv4
+	}
+	for _, host := range hosts {
+		host := host
+		t.Run(host, func(t *testing.T) {
+			t.Parallel()
+			cfg := &config.Config{}
+			cfg.Server.Host = host
+			cfg.Server.APIKey = ""
+			if err := validateServeSecurity(cfg); err != nil {
+				t.Fatalf("host=%s: expected nil; got %v", host, err)
+			}
+		})
+	}
+}
+
+func TestValidateServeSecurity_AllowsNonLoopbackWithKey(t *testing.T) {
+	t.Parallel()
+	cfg := &config.Config{}
+	cfg.Server.Host = "0.0.0.0"
+	cfg.Server.APIKey = "s3cret"
+	if err := validateServeSecurity(cfg); err != nil {
+		t.Fatalf("expected nil; got %v", err)
+	}
+}

internal/api/auth.go

@@ -50,17 +50,31 @@ func bearerAuthMiddleware(apiKey string, next http.Handler) http.Handler {
 			return
 		}
 
-		raw := strings.TrimSpace(r.Header.Get("Authorization"))
-		const prefix = "Bearer "
-		if !strings.HasPrefix(raw, prefix) {
+		// /api/session is the auth boundary itself — always public.
+		if path == "/api/session" {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		// Defense-in-depth: reject immediately if the server has no key
+		// configured. This mirrors newSessionHandler's guard and keeps the
+		// middleware correct under future refactors (rather than relying on
+		// the no_token branch firing because keyBytes would also be empty).
+		if apiKey == "" {
+			slog.Warn("🔒 auth failure", "path", path, "remote_addr", r.RemoteAddr, "reason", "server_misconfigured")
+			writeJSON401(w)
+			return
+		}
+
+		token := extractToken(r)
+		if token == "" {
 			slog.Warn("🔒 auth failure",
 				"path", path,
 				"remote_addr", r.RemoteAddr,
-				"reason", "no_bearer_prefix")
+				"reason", "no_token")
 			writeJSON401(w)
 			return
 		}
-		token := raw[len(prefix):]
 		if subtle.ConstantTimeCompare([]byte(token), keyBytes) != 1 {
 			slog.Warn("🔒 auth failure",
 				"path", path,
@@ -82,3 +96,20 @@ func writeJSON401(w http.ResponseWriter) {
 	w.WriteHeader(http.StatusUnauthorized)
 	_ = json.NewEncoder(w).Encode(map[string]string{"error": "unauthorized"})
 }
+
+// extractToken returns the bearer token from either the Authorization
+// header (preferred, for machine clients) or the session cookie (for
+// browser clients after POST /api/session). Returns "" if neither.
+func extractToken(r *http.Request) string {
+	raw := strings.TrimSpace(r.Header.Get("Authorization"))
+	const prefix = "Bearer "
+	if strings.HasPrefix(raw, prefix) {
+		return raw[len(prefix):]
+	}
+	if c, err := r.Cookie(sessionCookieName); err == nil {
+		if v := strings.TrimSpace(c.Value); v != "" {
+			return v
+		}
+	}
+	return ""
+}

internal/api/auth_test.go

@@ -515,6 +515,29 @@ func TestBearerAuthMiddleware(t *testing.T) {
 	})
 }
 
+func TestAuth_AcceptsValidCookie(t *testing.T) {
+	t.Parallel()
+	h := buildAuthHandler("s3cret")
+	req := httptest.NewRequest(http.MethodGet, "/api/ping", nil)
+	req.AddCookie(&http.Cookie{Name: sessionCookieName, Value: "s3cret"})
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, req)
+	if rr.Code != http.StatusOK {
+		t.Fatalf("want 200 with valid cookie, got %d", rr.Code)
+	}
+}
+
+func TestAuth_RejectsMissingBothHeaderAndCookie(t *testing.T) {
+	t.Parallel()
+	h := buildAuthHandler("s3cret")
+	req := httptest.NewRequest(http.MethodGet, "/api/ping", nil)
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, req)
+	if rr.Code != http.StatusUnauthorized {
+		t.Fatalf("want 401, got %d", rr.Code)
+	}
+}
+
 // BenchmarkBearerAuth_WrongKey ensures the constant-time compare path runs
 // under the benchmark harness. It is NOT a hard timing assertion — if the
 // code ever switches to a non-constant-time compare (==, bytes.Equal), the